Gate features requiring CSP unsafe-eval on a non-default Cargo feature
#1647
Comments
That doesn't work, because it's possible for any library to enable the feature. So you have to check the In addition, this is trickier than it may seem, because there are quite a few APIs which have implicit eval behavior, and they need to be carefully blacklisted manually (e.g. In addition, it's always possible for a crate to use Personally, I would be in favor of getting rid of all of the eval things completely. There's very very few legitimate uses for eval, and it's always possible to use |
alexcrichton
added
help wanted
Motivation
wasm-bindgen and its associated crates (
js_sys,web_sys, etc.) should be compatible with normal CSP configurations, i.e. ones that don't whitelistunsafe-evalor unsafe-inline. Right now, it is too easy to accidentally to accidentally make a wasm-bindgen-based crate incompatible with good CSP practices. Further, it is hard to audit the internal implementation of wasm-bindgen and its associated crates for CSP problems. See #1641 for example.Proposed Solution
Create an
unsafe-evalCargo feature that controls access to theFunctionconstructor, eval, and other features that result in JS that would requireunsafe-eval. The feature shouldn't be marked as a default feature so that one can easily audit a depending crate's Cargo.toml to see if these features are in use. Instead, bump to the next incompatible version number since this is not a backward-compatible change. Test in CI the default configuration and the configuration with theunsafe-evalfeature enabled. Change the implementation of as many APIs as possible to work in the default (non-unsafe-evalconfiguration, e.g.web_sys::window(). This may require such APIs to be redesigned.The text was updated successfully, but these errors were encountered: